PKI Lab

Task 1: Host a local web server

I created ~/pki-demo/www/index.html and started a simple server with:

python3 -m http.server 8000 --directory ./www

The page loads at http://localhost:8000/.

Task 2: Show why HTTP is not secure

Capture on port 8000

In Wireshark, I captured on the loopback interface (lo0) and filtered with tcp.port == 8000. I opened the HTTP stream from the context menu.

Screenshot 1
Figure 1. Opening a specific HTTP request: right-click a GET / packet, then choose Follow → HTTP Stream.

304 Not Modified

The first request returned 304 Not Modified because the browser sent If-Modified-Since. A 304 carries only headers, so there is no response body to read.

Screenshot 2
Figure 2. The first HTTP stream shows 304 Not Modified because the browser sent If-Modified-Since. No body is transferred.

Fresh 200 OK

I forced a fresh request with a hard reload or by running curl -v http://localhost:8000/. The server responded with 200 OK, and the HTML body appeared in plain text.

Screenshot 3
Figure 3. After a fresh fetch, the response is 200 OK and the HTML body is readable in clear text.

HTTP traffic is sent in clear text. Anyone able to capture the packets can read the request paths, headers, and page contents exactly as Wireshark shows them here.

Task 3: Use a self-signed certificate and enable HTTPS

Why a public CA will not issue a cert for localhost

Public certificate authorities validate control of public DNS names. localhost, 127.0.0.1, and ::1 are local addresses that every machine has, so no applicant can demonstrate exclusive control of them. They are not eligible for public certificates, so a self-signed certificate is used and then trusted locally.

Screenshot 4
Figure 4. Chrome indicates a secure connection to https://localhost:8443/ after trusting the self-signed certificate.
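
The self-signed setup behind Figure 4, as an added example that is not part of the lab write-up: it generates a certificate whose subjectAltName covers localhost, 127.0.0.1 and ::1 (the openssl CLI is assumed to be installed), serves the www directory over TLS 1.3 on 8443, and shows that a client rejects the certificate until it is explicitly trusted. The sample page, file names and helper names (make_localhost_cert, serve_https, fetch, demo) are mine.

```python
import functools, http.server, ssl, subprocess, tempfile, threading
import urllib.error, urllib.request
from pathlib import Path

HTML = "<h1>pki-demo over TLS</h1>"  # constructed sample page

def make_localhost_cert(cert: Path, key: Path, days: int = 30) -> None:
    # Self-signed cert whose SAN covers the names a public CA will not issue for.
    # Assumes the openssl CLI (1.1.1+ for -addext) is installed on the host.
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(key), "-out", str(cert), "-days", str(days),
                    "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1"],
                   check=True, capture_output=True)

def serve_https(www: Path, cert: Path, key: Path, port: int = 8443):
    # Server context pinned to TLS 1.3, so only ClientHello/ServerHello are in clear.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.load_cert_chain(certfile=str(cert), keyfile=str(key))
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(www))
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv  # port 0 picks a free port; srv.server_address[1] reports it

def fetch(url: str, cafile: Path = None) -> tuple:
    # Normal client verification; trusting the self-signed cert is opt-in via cafile.
    ctx = ssl.create_default_context(cafile=str(cafile) if cafile else None)
    try:
        with urllib.request.urlopen(url, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.URLError as e:
        return None, str(e.reason)  # e.g. CERTIFICATE_VERIFY_FAILED

def demo(port: int = 0) -> dict:
    # End to end: cert -> HTTPS server -> one rejected fetch and one verified fetch.
    with tempfile.TemporaryDirectory() as tmp:
        www, cert, key = Path(tmp) / "www", Path(tmp) / "cert.pem", Path(tmp) / "key.pem"
        www.mkdir()
        (www / "index.html").write_text(HTML)
        make_localhost_cert(cert, key)
        srv = serve_https(www, cert, key, port)
        try:
            url = f"https://localhost:{srv.server_address[1]}/"
            return {"untrusted": fetch(url), "trusted": fetch(url, cert)}
        finally:
            srv.shutdown()
```

Run demo(8443) to reproduce the lab on port 8443; the "untrusted" entry fails with a certificate verification error and the "trusted" entry returns 200 with the page body, which is what Wireshark will show only as Encrypted Application Data.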

Capture on port 8443

I ran the HTTPS server on port 8443, captured on lo0, and applied tcp.port == 8443. The packet list shows the handshake and encrypted data.

Screenshot 5
Figure 5. TLS handshake on port 8443. ClientHello and ServerHello are visible. In TLS 1.3, later handshake messages are encrypted.
Screenshot 6
Figure 6. TLS application phase. Wireshark shows packets labeled Encrypted Application Data.
Screenshot 7
Figure 7. Follow → TLS (or TCP) Stream. The bytes are ciphertext, not readable like the HTTP stream.
Screenshot 8
Figure 8. Saving the HTTPS capture to https_trace.pcapng in the project folder.

TLS encrypts the HTTP conversation. Observers can still see metadata such as addresses, ports, timing, and the server name in the ClientHello (sent in clear unless Encrypted Client Hello is used), but not the request paths, headers, or page contents.